Network policies define which pods can talk to which other pods. They’re a critical Kubernetes security control—restricting lateral movement between services, limiting the blast radius of a compromise, enforcing communication patterns that match application design.
They’re also incomplete as a standalone security control. Network policies govern what an attacker can connect to from a compromised container. They don’t govern what tools the attacker has available inside that container to exploit those connections.
What Network Policies Do and Don’t Control?
A well-designed Kubernetes network policy for a frontend service might restrict outbound connections to exactly three backend services on specific ports. An attacker who compromises that frontend pod can’t connect to arbitrary internal services—the network policy blocks it.
But they can still:
- Call those three permitted backend services, probing for injection vulnerabilities
- Exfiltrate data through the permitted outbound connections
- Use curl or wget to reach external endpoints if egress isn’t fully restricted
- Enumerate the pod’s environment variables for secrets
The permitted connections are the attack surface. Network policies narrow it. They can’t eliminate it entirely, because some connectivity is necessary for the application to function.
Network policies restrict which connections an attacker can make. Container hardening restricts what they can do with those connections.
How Hardened Images Complement Network Policy?
Removing lateral movement tools
Container security software built from hardened images doesn’t have the network utilities that enable lateral movement at scale. Without curl, an attacker can’t easily probe internal APIs for vulnerabilities. Without nc or nmap, network reconnaissance is significantly harder. Without a shell, they can’t easily chain tool calls.
An attacker with code execution in a hardened container behind a restrictive network policy has a very constrained set of options. They can send traffic through the permitted connections using whatever network capabilities the application binary exposes—and that’s it.
Reducing external exfiltration capability
Hardened container images without curl, wget, and similar utilities limit how data can be exfiltrated. The application process itself has network capability—that can’t be removed without breaking the application. But the convenience tools that make arbitrary data transfer easy aren’t present.
Combined with egress network policies that restrict outbound connections to known-good destinations, this creates a layered barrier to exfiltration: the network path is restricted, and the tools for exploiting available paths are absent.
Better behavioral detection with fewer false positives
When a hardened container makes a network connection, it’s almost certainly the application process. There are no curl commands running for monitoring checks, no wget for fetching updates, no package manager reaching external repositories. Network monitoring in a hardened container produces less noise, making anomalous connections more detectable.
Practical Steps for Layered Defense
Start with network policy design informed by runtime profiling. Runtime profiling that captures which external connections your application makes is the right input for network policy design. You’re not guessing which services the pod needs access to—you’re observing it.
Apply default-deny network policies and enumerate allowed traffic. The default-deny posture for both ingress and egress, with explicit allows for required connections, is the right starting configuration. This is the network policy equivalent of remove-what’s-unused in image hardening.
Restrict external egress aggressively for workloads that don’t need it. Many internal services have no legitimate need to reach external internet destinations. Deny external egress entirely for those workloads. This eliminates the outbound exfiltration path completely.
Monitor network connections against the runtime-profiled baseline. Use your runtime profiling data to define expected network behavior. Alert on connections that weren’t seen during profiling. This is high-signal network monitoring because the baseline is precise.
Reassess network policies when hardening changes the application image. If hardening removes a package that was making background network connections (a monitoring agent, an update checker), your network policy may be more restrictive than needed. Audit network policies after significant hardening changes.
Frequently Asked Questions
What do Kubernetes network policies control and what do they leave unaddressed?
Kubernetes network policies control which pods can communicate with which other pods and on which ports. They restrict lateral movement and limit the blast radius of a compromise by blocking connections to unauthorized internal services. However, they do not control what tools are available inside a compromised container—an attacker can still use curl, bash, or python to exploit the connections that are permitted by the policy.
How do hardened container images complement Kubernetes network policies?
Hardened images remove the network utilities—curl, wget, nc, nmap, and shell interpreters—that enable lateral movement and data exfiltration at scale. An attacker with code execution in a hardened container behind a restrictive network policy has very limited options: they can only send traffic through permitted connections using whatever the application binary itself exposes. The combination of restrictive network policies and hardened images creates a significantly stronger defense-in-depth posture than either control alone.
How should runtime profiling be used when designing Kubernetes network policies?
Runtime profiling captures which external connections your application actually makes during normal operation. This data is the correct input for network policy design—you’re observing real behavior rather than guessing which services a pod needs. After significant hardening changes, network policies should be reassessed, since hardening may remove packages that were making background connections, potentially allowing existing policies to be tightened further.
Why is defense-in-depth important for Kubernetes network security?
Security controls operating at different layers address different aspects of an attack chain. Network policies operate at the network layer and control traffic flow. Container hardening operates at the workload layer and controls what tools and code are present. An attacker who understands your security posture will target the layer you’ve left unaddressed. Implementing both layers provides significantly more protection than either alone, because they constrain different parts of what an attacker can do after gaining code execution.
Defense-in-Depth Requires Both Layers
Security controls that work at different layers are complementary, not redundant. Network policies operate at the network layer—they control traffic flow. Container hardening operates at the workload layer—it controls what tools and code are present.
An attacker who gets code execution in a fully network-policy-protected container with available curl, bash, and python has meaningful attack capability. An attacker who gets code execution in a minimally protected network environment with a hardened container has minimal attack capability. The ideal is both: restrictive network policies and hardened container images.
Teams that implement one but not the other have chosen half a defense-in-depth strategy. The layer they’ve skipped is exactly what a sophisticated attacker who knows your security posture will target.
The investment in both layers is additive but not proportionally additive in risk reduction. Network policies plus container hardening provides significantly more than twice the protection of either alone, because the layers address different aspects of the attack chain.